lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date:   Thu, 20 Aug 2020 21:16:59 -0400
From:   Carolyn Wyborny <>
Subject: [RFC PATCH net-next 0/2] Granular VF Trust Flags for SR-IOV

Proposal for Granular VF Trust Flags for SR-IOV

I would like to propose extending the concept of VF trust in a more
granular way by creating VF trust flags. VF Trust Flags would allow more
flexibility in assigning privileges to VF's administratively in SR-IOV.
Users are asking for more configuration to be available in the VF.
Features for one use case like a firewall are not always wanted in a
different type of privilegd VF.  If a base set of generic privileges could be
configured in a more granular way, they can be combined in a more flexible
way by the user.

The implementation would do this by by adding a new iflattribute for trust
flags which defines the flags in an nla_bitfield32.  The changes `would
also include changes to .ndo_set_vf_trust parameters, different or converted
settings in .ndo_get_vf_config, kernel validation of the trust flags and
driver changes for those that implement .ndo_set_vf_trust. There will also
be changes proposed for ip link in the iproute2 toolset.

This patchset provides an example implementation that is not complete.
It does not include the full validation of the feature flags in the kernel,
all the helper macros likely needed for the trust flags nor all the driver
changes needed. It also needs a method for advertising supported privileges
and validation to ensure unsupported privileges are not being set.
It does have a simple example driver implementation in igb.  The full
patchset will include all these things.

I'd like to start the discussion about the general idea and then begin the
dicussion about a base set of VF privleges that would be generic across the
device vendors.


Carolyn Wyborny (2):
      net:  Implement granular VF trust flags
      igb: Implement granular VF trust flags

 drivers/net/ethernet/intel/igb/igb.h      |    2 +
 drivers/net/ethernet/intel/igb/igb_main.c |   21 ++++++-----
 include/linux/if_link.h                   |    2 +
 include/linux/netdevice.h                 |    4 +-
 include/uapi/linux/if_link.h              |   53 ++++++++++++++++++++++++++++-
 net/core/rtnetlink.c                      |   41 +++++++++++++++++++++-
 tools/include/uapi/linux/if_link.h        |   53 ++++++++++++++++++++++++++++-
 7 files changed, 157 insertions(+), 19 deletions(-)


Powered by blists - more mailing lists